If your server runs on PHP, you need to update it right away. Two serious security flaws have been found in PHP that can put your website or app at risk. These bugs can be used by attackers to run SQL injection attacks or crash your service completely.

The two vulnerabilities are tracked as CVE-2025-1735 and CVE-2025-6491. They affect multiple versions of PHP, and patches are now available, so updating your PHP version is the only way to stay safe.

1. CVE-2025-1735 – SQL Injection via PostgreSQL Extension

This one is serious. It affects the PostgreSQL extension in PHP and happens because PHP is not checking for errors properly when escaping strings.

When your app sends data to a PostgreSQL database, PHP is supposed to escape that data to prevent SQL injection. But here, PHP fails to pass the error-checking parameter to the escape function, so when escaping goes wrong, the extension never learns about it. That can allow attackers to inject malicious SQL commands.

The bug is linked to a known issue in PostgreSQL itself (CVE-2025-1094); PHP's own handling of the error is what makes it worse. And if the escape function returns NULL, PHP simply carries on, which can lead to app crashes or unexpected behavior.

This vulnerability has a CVSS score of 9.1, which is critical.
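As an added illustration (not code from the original post or from the PHP project), here is how application code can stay clear of the fragile escaping path: prefer parameterised queries, and where escaping cannot be avoided, treat a false return from pg_escape_literal() as a hard error instead of building SQL from it. The connection string and the users table are placeholders.

```php
<?php
// Added example, not part of the original post. Assumes a reachable
// PostgreSQL instance; the connection string below is a placeholder.
declare(strict_types=1);

$conn = pg_connect('host=localhost dbname=app user=app');
if ($conn === false) {
    throw new RuntimeException('connection failed');
}

// Preferred: a parameterised query. The value is sent separately from the
// SQL text and never passes through string escaping, so a silently failed
// escape cannot turn into a malformed literal inside the statement.
function findUserByName($conn, string $name): array
{
    $res = pg_query_params(
        $conn,
        'SELECT id, name FROM users WHERE name = $1',
        [$name]
    );
    if ($res === false) {
        throw new RuntimeException('query failed: ' . pg_last_error($conn));
    }
    return pg_fetch_all($res) ?: [];
}

// Fallback when a literal must be interpolated (e.g. dynamic identifiers
// cannot be parameterised): pg_escape_literal() returns false on failure.
// Refuse to continue rather than concatenating an unchecked result.
function escapeLiteralOrFail($conn, string $value): string
{
    $escaped = pg_escape_literal($conn, $value);
    if ($escaped === false || $escaped === '') {
        throw new RuntimeException('escape failed: ' . pg_last_error($conn));
    }
    return $escaped;
}

// Usage: the untrusted value comes straight from the request.
$name = (string) ($_GET['name'] ?? '');
$rows = findUserByName($conn, $name);
echo json_encode($rows), PHP_EOL;
```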

2. CVE-2025-6491 – SOAP Extension Crash Bug

The second bug affects PHP's SOAP extension. Creating a SoapVar object with a name longer than 2GB makes PHP crash immediately.

This happens because older versions of libxml2 (used by PHP) cannot handle such long names. PHP then tries to use a NULL name value, and the process crashes with a segmentation fault.

The result? Your service goes down. This is a Denial of Service (DoS) vulnerability. It has a CVSS score of 5.9, which is moderate, but the impact can still be big if your app relies on SOAP.

Who Is Affected and What Should You Do?

If you run any PHP version below 8.1.33, 8.2.29, 8.3.23, or 8.4.10, you are at risk. Even early builds of PHP 8.5.0-dev are vulnerable when paired with an older libxml2.

These issues affect any server with the PostgreSQL or SOAP extensions enabled.

To keep your server and application safe, update PHP immediately to one of the patched releases: PHP 8.1.33, 8.2.29, 8.3.23, or 8.4.10. These versions fix both problems and restore proper error handling.
